CVE-2018-16300

7.5 HIGH

📋 TL;DR

This vulnerability in tcpdump's BGP parser allows attackers to cause a stack overflow through unlimited recursion in the bgp_attr_print() function. This can lead to denial of service (crash) or potentially arbitrary code execution. Anyone using tcpdump to analyze BGP traffic is affected.

💻 Affected Systems

Products:
  • tcpdump
Versions: All versions before 4.9.3
Operating Systems: All operating systems running vulnerable tcpdump versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when parsing BGP packets. Systems using tcpdump with BGP protocol analysis enabled are at risk.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise if the stack overflow can be controlled to execute arbitrary code.

🟠

Likely Case

Denial of service through tcpdump crash when processing malicious BGP packets, potentially disrupting network monitoring.

🟢

If Mitigated

Limited to tcpdump process crash with no system-wide impact if proper privilege separation is in place.

🌐 Internet-Facing: MEDIUM - tcpdump is typically used internally for packet analysis, but could be exposed if used on perimeter monitoring systems.
🏢 Internal Only: MEDIUM - tcpdump is commonly used by network administrators and security teams for internal traffic analysis.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted BGP packets that tcpdump processes. The vulnerability is in the parser itself, not requiring authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.3 and later

Vendor Advisory: https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES

Restart Required: No

Instructions:

1. Update tcpdump to version 4.9.3 or later using your package manager.
2. For Linux: 'sudo apt update && sudo apt upgrade tcpdump' (Debian/Ubuntu) or 'sudo yum update tcpdump' (RHEL/CentOS).
3. Verify installation with 'tcpdump --version'.

🔧 Temporary Workarounds

Disable BGP parsing

all

Avoid parsing BGP packets by using a tcpdump filter that excludes BGP traffic. tcpdump only hands TCP segments on port 179 to its BGP dissector, so excluding that port keeps bgp_attr_print() from ever running (there is no 'proto bgp' filter primitive, since BGP is not an IP protocol):

tcpdump 'not tcp port 179'

Limit tcpdump privileges

linux

Run tcpdump with reduced privileges to limit potential damage. tcpdump's -Z option opens the capture device as root and then drops to the given user before any packet is parsed, so a parser crash or compromise lands in an unprivileged process (a plain 'sudo -u nobody tcpdump' would fail, because an unprivileged user cannot open the capture interface):

sudo tcpdump -Z nobody [options]

🧯 If You Can't Patch

  • Restrict tcpdump usage to trusted users only and monitor for crashes
  • Implement network segmentation to limit exposure to BGP traffic from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Run 'tcpdump --version' and check if version is below 4.9.3

Check Version:

tcpdump --version | head -1

Verify Fix Applied:

Confirm tcpdump version is 4.9.3 or higher with 'tcpdump --version | head -1'
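The version check above, as an added script that is not part of this advisory: it parses the first line of 'tcpdump --version' (the "tcpdump version X.Y.Z" format tcpdump prints) and compares it numerically against 4.9.3, so that e.g. 4.10.0 is correctly treated as newer than 4.9.3 even though a string comparison would say otherwise. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed tcpdump
# is below the fixed release 4.9.3 for CVE-2018-16300.

FIXED_VERSION="4.9.3"

# Extract the dotted version from a "tcpdump --version" first line, e.g.
# "tcpdump version 4.9.2" -> "4.9.2". Exits non-zero if no version is found.
tcpdump_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p' | grep .
}

# Returns 0 (true) if dotted version $1 is strictly lower than FIXED_VERSION.
# Compares field by field as integers; missing fields count as 0 ("4.9" == "4.9.0").
version_is_vulnerable() {
    v="$1"; f="$FIXED_VERSION"
    while [ -n "$v" ] || [ -n "$f" ]; do
        vh=${v%%.*}; fh=${f%%.*}
        : "${vh:=0}" "${fh:=0}"
        [ "$vh" -lt "$fh" ] && return 0
        [ "$vh" -gt "$fh" ] && return 1
        case "$v" in *.*) v=${v#*.};; *) v="";; esac
        case "$f" in *.*) f=${f#*.};; *) f="";; esac
    done
    return 1   # equal to the fixed version: not vulnerable
}

# Run the installed tcpdump and report. Returns 1 if vulnerable, 0 if fixed,
# 2 if tcpdump is missing or its version line could not be parsed.
check_installed_tcpdump() {
    line=$(tcpdump --version 2>&1 | head -n 1) || return 2
    v=$(tcpdump_version_from_line "$line") || { echo "could not parse: $line"; return 2; }
    if version_is_vulnerable "$v"; then
        echo "tcpdump $v is below $FIXED_VERSION: vulnerable to CVE-2018-16300"
        return 1
    fi
    echo "tcpdump $v is $FIXED_VERSION or later: fixed"
    return 0
}

# Usage on a host: check_installed_tcpdump
```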

📡 Detection & Monitoring

Log Indicators:

  • tcpdump crash logs
  • segmentation fault errors in system logs when running tcpdump

Network Indicators:

  • Unusual BGP traffic patterns targeting monitoring systems
  • Multiple BGP attribute updates in quick succession

SIEM Query:

process_name="tcpdump" AND (event_type="crash" OR exit_code="139")

🔗 References
